[JDEV] Signed & encrypted messages
Mathew Johnston
johnston at megaepic.com
Sun May 27 16:49:11 CDT 2001
I see what you mean now. I am not entirely convinced, however,
that this is necessary when using X509 certificates since
you are concerned with the integrety of the certificate, and the
trustworthyness of the certificate authority, not where the particular
copy of the certificate came from. Personally, I think x509 certificates
are a good choice since there is already a lot of x509 infrastructure out
there, and x509 provides us with specification of encryption algorithms,
third party signing, key management, etc. I'd like to hear arguements for
or against different key exchange schemes. I think we need the following
key exchange properties:
- ability to access users public key when user is not online
- ability to verify authenticity of the key
- ability to request key for use with particular algorithms
- ability to manually exchange keys (write down on paper and type
them back in, etc)
I think x509 can fulfil the first three properties. The fourth
property would be up to clients. Since there may be more than
one certificate (for each different algorithm) we can't really
put them all into a user's vcard, since that would be too big.
However, someone mentioned that there is a way for clients to
store data on a jabber server, to be querried for by other clients;
this could be used to store the certificates. (can anyone comment
on this further?) I'm not sure if this method allows for the naming
of chunks of data, but if it does we can allow querrying for
particular algorithms by using naming rules for each 509 certificate
resource. When the querry is returned, a name should be given to the
certificate so that it can be referenced when using it (so that
the recipient knows which certificate is being used)
In the end, this is all up to the Jabber Foundation to decide upon,
of course.
More information about the JDev
mailing list